TL;DR

A Japan-based hotel check-in system, Tabiq, exposed over one million customer documents and photos due to a misconfigured cloud storage bucket. The data is now offline after TechCrunch alerted the company. The incident highlights ongoing cybersecurity risks from human error.

A hotel check-in system used across several hotels in Japan exposed over one million customer passports, driver’s licenses, and photos due to a cloud storage misconfiguration. The data was accessible online without authentication until the company, Reqrea, secured the storage after being alerted by TechCrunch. This incident underscores persistent cybersecurity vulnerabilities linked to human error.

The affected system, called Tabiq, is maintained by Reqrea, a Japan-based tech startup. It uses facial recognition and document scanning to verify guests during check-in. The exposed data included sensitive identity documents and selfie verification photos from guests worldwide, stored in an Amazon cloud bucket configured to be publicly accessible. The leak was discovered by independent security researcher Anurag Sen, who notified TechCrunch earlier this week. Upon receiving the alert, Reqrea promptly secured the bucket, which contained files dating back to 2020. The company has not confirmed whether any unauthorized access occurred before the fix, but is reviewing logs to determine if data was accessed.
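The log review mentioned above, sketched as an added example (not Reqrea's tooling and not code from the original article): assuming the bucket is Amazon S3 with server access logging enabled, it flags successful reads where the requester field is `-`, meaning no AWS identity was presented. The bucket name, IDs, addresses and log records are constructed.

```python
import re
from collections import defaultdict

# One token per log field: [bracketed time], "quoted string", or bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
READ_OPS = {"REST.GET.OBJECT", "REST.GET.BUCKET"}  # object download, bucket listing

def parse(line):
    f = TOKEN.findall(line)
    if len(f) < 13:
        return None  # truncated or non-log line
    return {"time": f[2].strip("[]"), "ip": f[3], "requester": f[4],
            "op": f[6], "key": f[7], "status": f[9],
            "bytes": 0 if f[11] == "-" else int(f[11])}

def anonymous_reads(lines):
    """Successful reads made with no AWS identity (requester field is '-')."""
    hits = []
    for r in map(parse, lines):
        if (r and r["requester"] == "-" and r["op"] in READ_OPS
                and r["status"] in ("200", "206")):
            hits.append(r)
    return hits

def summarize(hits):
    """Per source IP: request count, bytes served, distinct objects fetched."""
    out = defaultdict(lambda: {"requests": 0, "bytes": 0, "keys": set()})
    for r in hits:
        s = out[r["ip"]]
        s["requests"] += 1
        s["bytes"] += r["bytes"]
        if r["op"] == "REST.GET.OBJECT":
            s["keys"].add(r["key"])
    return dict(out)

def _line(ip, who, op, key, status, err, sent):  # builds one constructed record
    return (f'OWNERID example-bucket [06/Feb/2024:00:00:38 +0000] {ip} {who} '
            f'REQID {op} {key} "GET /{key} HTTP/1.1" {status} {err} {sent} - '
            f'20 19 "-" "curl/8.0" - HOSTID - - - example-bucket.s3.amazonaws.com -')

APP = "arn:aws:iam::111122223333:user/app"  # constructed authenticated caller
SAMPLE = [  # constructed records, documentation-range IP addresses
    _line("203.0.113.7", "-", "REST.GET.OBJECT", "scans/a.jpg", 200, "-", 51234),
    _line("198.51.100.20", APP, "REST.GET.OBJECT", "scans/b.jpg", 200, "-", 40000),
    _line("203.0.113.7", "-", "REST.GET.BUCKET", "-", 200, "-", 2048),
    _line("192.0.2.44", "-", "REST.GET.OBJECT", "scans/c.jpg", 403, "AccessDenied", 243),
    _line("203.0.113.9", "-", "REST.GET.OBJECT", "scans/b.jpg", 206, "-", 1000),
]

if __name__ == "__main__":
    for ip, s in summarize(anonymous_reads(SAMPLE)).items():
        print(ip, s["requests"], s["bytes"], sorted(s["keys"]))
```

S3 delivers server access logs on a best-effort basis, so an empty result narrows the question but does not prove that nothing was read.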

Why It Matters

This incident highlights ongoing cybersecurity risks associated with human error and misconfiguration, particularly in cloud storage. Exposing sensitive personal data such as passports and driver’s licenses increases the risk of identity theft and fraud. It also raises concerns about the security of third-party verification systems used in travel and financial sectors, especially as governments and private companies rely more heavily on digital identity verification.

Background

Previous incidents include the exposure of government-issued IDs by services like Duc App and a data breach at Hertz affecting over 100,000 driver’s licenses. These lapses occur amid increasing use of digital identity checks for age verification and financial transactions, often involving third-party vendors. Amazon has added warnings to prevent accidental public exposure of cloud data, but errors still occur, often due to human oversight.

“The exposure of over one million identity documents due to a simple misconfiguration underscores how human error remains a critical vulnerability in cybersecurity.”

— Zack Whittaker, TechCrunch security editor

“We are conducting a thorough review with external legal counsel to determine the full scope of exposure.”

— Reqrea director Masataka Hashimoto

What Remains Unclear

It is not yet confirmed whether any unauthorized access occurred before the bucket was secured. Details about the number of affected individuals and whether the data was downloaded or misused remain unclear. The full scope of the breach is still under investigation.

What’s Next

Reqrea is expected to complete its investigation and notify affected individuals. The company may also implement additional security measures and review its data handling protocols. Monitoring of the incident’s impact and any potential misuse of data will likely continue in the coming weeks.

Key Questions

How many people were affected by this data leak?

It is estimated that over one million documents, including passports and driver’s licenses, were exposed, but the exact number of individuals affected is still being determined.

Has the data been accessed or misused?

There is no confirmed evidence that the data was accessed or misused before the security was fixed, but investigations are ongoing to determine if any unauthorized access occurred.

What steps is the company taking to prevent future leaks?

Reqrea has secured the cloud storage and is reviewing its security protocols, including better access controls and staff training, to prevent similar incidents.

Could this happen again?

While Amazon has added warnings to reduce accidental exposure, human error and misconfiguration risks remain, so the possibility of future leaks cannot be entirely eliminated without ongoing vigilance.
